Summary | ZeroBOX

Information about the reservation.scr

Tags: Malicious Library, Antivirus, UPX, Malicious Packer, OS Processor Check, PE32, PE File
Category: FILE
Machine: s1_win7_x6401
Started: Sept. 11, 2023, 10:06 a.m.
Completed: Sept. 11, 2023, 10:08 a.m.
Size: 952.6KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: c932efa508ef39e723186177a7a885f7
SHA256: 3a42cc7e2fe0b899116b5e8890d2865f53b29752a56c230caa55a5d02953faa3
CRC32: 4CE53E38
ssdeep: 24576:pTHiqXUJXXHx1uOb/OWgiAJEvcDdXKZDNC1J8Am1:prDUJnHx1NjOW/AJE0dXKZDNKI
PDB Path: C:\vmagent_new\bin\joblist\276951\out\Release\360UDiskGuard.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • Antivirus - Contains references to security software
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check

DNS lookups

Name | Response | Post-Analysis Lookup
cff.org | 151.101.1.193 | (none)

IP addresses

IP Address | Status | Action
151.101.1.193 | Active | Moloch
164.124.101.2 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 151.101.1.193:443 -> 192.168.56.101:49178 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49162 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49168 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49174 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49191 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49175 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49161 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49164 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49169 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 151.101.1.193:443 -> 192.168.56.101:49165 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49196 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49176 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 151.101.1.193:443 -> 192.168.56.101:49170 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49209 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49177 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 151.101.1.193:443 -> 192.168.56.101:49186 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49172 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49192 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49211 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49185 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49187 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49173 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 151.101.1.193:443 -> 192.168.56.101:49194 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49202 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49181 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 151.101.1.193:443 -> 192.168.56.101:49214 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49189 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 151.101.1.193:443 -> 192.168.56.101:49182 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49180 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49216 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49195 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49183 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 151.101.1.193:443 -> 192.168.56.101:49190 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49198 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49221 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 151.101.1.193:443 -> 192.168.56.101:49184 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49200 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49215 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 151.101.1.193:443 -> 192.168.56.101:49188 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49201 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49222 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49193 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49205 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49197 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 151.101.1.193:443 -> 192.168.56.101:49208 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49203 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49210 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49206 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49212 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49207 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49213 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 151.101.1.193:443 -> 192.168.56.101:49218 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49217 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 151.101.1.193:443 -> 192.168.56.101:49220 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 151.101.1.193:443 -> 192.168.56.101:49224 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49219 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49223 -> 151.101.1.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)

Suricata TLS

No Suricata TLS

Signature details

pdb_path: C:\vmagent_new\bin\joblist\276951\out\Release\360UDiskGuard.pdb

API calls

Time & API | Arguments | Status | Return | Repeated
GlobalMemoryStatusEx | (none) | 1 | 1 | 0

Resource names referenced: PNG, TPA

Resources

Name | Language | Sublanguage | Filetype | Offset | Size
PNG | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | 0x00047068 | 0x00001228
TPA | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | PNG image data, 423 x 597, 8-bit/color RGB, non-interlaced | 0x00048290 | 0x000a2e5b
RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x000eb0ec | 0x00000988
RT_DIALOG | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x000ebf68 | 0x0000037e
RT_STRING | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x000ec5e0 | 0x00000654
RT_ACCELERATOR | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x000ecc34 | 0x00000070
RT_GROUP_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x000ecd24 | 0x00000014
RT_MANIFEST | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | ASCII text, with very long lines, with CRLF line terminators | 0x000ecf78 | 0x000002ca

Entropy

Section .rsrc: size_of_data 0x000ab400, virtual_address 0x00042000, virtual_size 0x000ab242, entropy 7.929575468585512 (A section with a high entropy has been found)
Overall file entropy: 0.727562400425 (Overall entropy of this PE file is high)
Antivirus results

Engine | Detection
Lionic | Trojan.Win32.Vidar.4!c
MicroWorld-eScan | Gen:Variant.Zusy.488142
Malwarebytes | Malware.AI.962730710
VIPRE | Gen:Variant.Zusy.488142
K7AntiVirus | Riskware ( 0040eff71 )
BitDefender | Gen:Variant.Zusy.488142
K7GW | Riskware ( 0040eff71 )
CrowdStrike | win/malicious_confidence_100% (W)
Symantec | Trojan Horse
tehtris | Generic.Malware
Kaspersky | Trojan-PSW.Win32.Vidar.crb
Alibaba | TrojanPSW:Win32/Vidar.b297b645
Rising | Stealer.Vidar!8.11173 (CLOUD)
Sophos | Mal/Generic-S
F-Secure | Trojan.TR/PSW.Vidar.qnfza
Zillya | Trojan.Vidar.Win32.560
TrendMicro | TrojanSpy.Win32.VIDAR.YXDIJZ
McAfee-GW-Edition | Artemis!Trojan
FireEye | Gen:Variant.Zusy.488142
Emsisoft | Gen:Variant.Zusy.488142 (B)
GData | Gen:Variant.Zusy.488142
Webroot | W32.Malware.Gen
Avira | TR/PSW.Vidar.qnfza
Gridinsoft | Spy.Win32.Vidar.bot
Arcabit | Trojan.Zusy.D772CE
ZoneAlarm | Trojan-PSW.Win32.Vidar.crb
Microsoft | Trojan:Win32/Zusy
AhnLab-V3 | Trojan/Win.Leonem.C5479855
McAfee | Artemis!C932EFA508EF
MAX | malware (ai score=87)
DeepInstinct | MALICIOUS
VBA32 | BScope.Backdoor.Remcos
Panda | Trj/Chgt.AD
TrendMicro-HouseCall | TrojanSpy.Win32.VIDAR.YXDIJZ
Tencent | Win32.Trojan-QQPass.QQRob.Ngil
MaxSecure | Trojan.Malware.300983.susgen
AVG | Win32:Malware-gen
Avast | Win32:Malware-gen